Come on guys: small self-hosted Apache/WordPress server

The issue should be common enough and at least enough demand.

Isn’t ~user or /user a decently common setup for a small personal website? I mean sure, if I go through a big service I can have a virtual host, but,

  • a: they pretty much have it set up. That’s http, wordpress, php, nameservice, etc
    (AND the scripts to manage them all)
  • b: they have the experts to walk you through everything
  • c: they have the experts to program the servers

Me and everyone with my own site selfhosted/home-site/Tiny-Business/Hobby is small time. 10’s vs 100’s a month. 10 of US a month are the people needing help that we can’t get elsewhere. Sure, ten is small, but it’s also huge because there is nowhere else for help.

I was about to totally be insecure

Without having a published solution, let alone placing it front n center on the how-to sites for newbies, I was about to totally be insecure. I was like I could just chmod it to 775 or 664, (But that still meant changing the group of the files in my public_html folder).

I kept wondering how sites could do this and still be secure!!!

It would work/be fine with only one user, but then, I might as well just use /var/www.

The issue comes when I want to add a friend, sibling, etc. Now, they would have access to some of my things. Ok, not really, but there’s still a ton of security things file/group ownership. How to run the things in their folder also separately vs the same group or user as my web files.

Why isn’t there at least a mention of it? (The setup how-to’s & errors)

Why isn’t one of the upfront setups a setup for /user or ~user‽
I’ve looked in Apache, WordPress, php, they’re all so confusing. Why? Because no one has published a script/config file for a setup where ~user or /user’s can run scripts as themselves not the default httpd.

Finally found an obscure mention of it. Apache ownership and permissions for wordpress basically says it’s insecure, don’t do it. EXCEPT, WHY WHY WHY is it allowed in virtual host setups? ok. let me try setting up <host>/WPsite/ ??? — THIS SHOULD BE AN UP FRONT ANSWER ON How to install WordPress (Via wordpress.org) & Before You Install (Via wordpress.org) the latter links to Changing File Permissions (Via wordpress.org) Unfortunately, it casually mentions the insecure/EOL suexec. Ok, it lists all methods:

Popular methods used by sysadmins for this setup are:

  • suPHP, runs through php-cgi, currently unmaintained since 2013.
  • mod_ruid2, apache module, currently unmaintained since 2013.
  • mpm-itk, apache module.
  • mod_fcgid, an Apache module and FastCGI server with more extensive configuration.
  • PHP-FPM, an alternative FastCGI server with shared OPCode, for use with Apache and Nginx.

Again, I’d love to use these options, but I don’t have a DNS name to cause a virtual-host to launch.

Why, it seems like common sense: small multi-user setups do exist

I’m sorry, this seems like it should be a common question or setup. I want a small server but I don’t want to host my website in the main server area of the web server. I want it under my user, i.e. ~user/ or just /user/.

That way I can have a couple of them set up and play around and all that sort of thing. Plus I actually log in to work on some of my sites, so it’s not strictly web-based.

The issue I run into is Apache and the PHP files are being run as httpd or apache or nobody, not me as a user, but me as a user owns the files.

This is a small service or a testing service or whatever, so I don’t have a URL for Apache to say hey, this is a virtual host, let’s run it as Xyz in this sandbox.

There’s a quite common issue that is often solved by setting permissions better. That setting them correctly is 755 or 644; no, it’s not, the web server isn’t being run by me the user.

There’s three methods this can be done: SU-something, and something-RUID or something. The first one was more secure but deprecated because of its security; there’s a second one which hasn’t been deprecated, interestingly, since the first was supposedly more secure; then there is PHP-FPM.

Why do I need to go through all that? I don’t even know where we’re at.

Ways to call a web process as a different user:

  • suPHP run PHP as a user ***DO NOT USE***
    (Deprecated: was EOL by 2014, but still used in 2022. . . 2025 Very rare/only historical)
    • last version suPHP 0.7.2 released 5/20/2013; there is a 0.8.0-pre fork in 2018.
    • Slightly more secure than RUID2:
      in that it builds in some protections i.e. 777/666 protections, and
      starts as the user vs switches to the owner after starting as https’ owner
  • mod_ruid2
  • PHP-FPM
    • set php-fpm user and group to website’s owner (NOT SIMPLE/WORKING)
      HOW DO WE TELL apache when to call a particular pool? is “www” the key i.e. the directory parent
      • I misread, I have 2 mpm’s activated (ONLY ONE is allowed); to use PHP-FPM, use mpm_event not mpm_prefork
    • Slackware: THERE IS NO POOL/POOL.D area instead its /etc/php-fpm.d/*.conf
    • TESTING: I setup a <?php echo $username; ?> to see if its working.
      {{Set to a filename.php you know}}
      IT IS PROPERLY SAYING THE USERNAME “apache” 🙂
      Also trying print '<P>' . shell_exec( 'whoami' ) . 'is playing well </p>'; just in case
      Finally a decent test. I DO NOT need a full status of a module {I think}. I just need to see the user its running as. -For now- ; I might eventually need to know if the module is working, but I want to know that its not yet running as x user. Trying to setup the tests were their own issues with dozens of settings when I might not need them.
  • suExec – run CGI as a user (if you run PHP as CGI)
  • mpm_ITK (NOT INSTALLED!!!)
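
One way to answer the question above of how Apache is told which pool to call, without a virtual host: one PHP-FPM pool per user, selected by a <Directory> block on that user's public_html. This is an added example, not from the original post or any project's documentation; the socket directory /run/php-fpm, the output file names and the pool limits are assumptions, and /etc/php-fpm.d/ is the Slackware pool location noted above.

```shell
#!/bin/sh
# Added example: generate a per-user PHP-FPM pool plus the Apache <Directory>
# block that routes that user's public_html PHP requests to the pool.

SOCK_DIR=/run/php-fpm      # assumption: where pool sockets live
HTTPD_USER=apache          # account httpd runs as (the page's test printed "apache")

# make_user_pool USER HOME OUTDIR
# Writes OUTDIR/USER.pool.conf and OUTDIR/USER.httpd.conf (hypothetical names).
make_user_pool() {
    user=$1 home=$2 out=$3
    # Accept only plain account names, and never root.
    case $user in
        root|''|*[!a-z0-9_-]*) echo "refusing user '$user'" >&2; return 1 ;;
    esac
    docroot=$home/public_html
    sock=$SOCK_DIR/$user.sock

    # PHP-FPM side: workers run as the site owner; only httpd may open the socket.
    cat > "$out/$user.pool.conf" <<EOF
[$user]
user = $user
group = $user
listen = $sock
listen.owner = $HTTPD_USER
listen.group = $HTTPD_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 4
php_admin_value[open_basedir] = $docroot:/tmp
EOF

    # Apache side (main config, not .htaccess): needs mod_proxy_fcgi, httpd 2.4.10+.
    cat > "$out/$user.httpd.conf" <<EOF
<Directory "$docroot">
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:$sock|fcgi://localhost"
    </FilesMatch>
</Directory>
EOF
}
```

The pool file goes in /etc/php-fpm.d/ and the Apache fragment is pulled in from httpd.conf with Include, followed by a reload of both services. Because the pool is chosen by the server's own config per directory, a user cannot name someone else's pool from inside their folder.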

Maybe default setups aren’t using different users???

I took a look at the apache setup samples for vhosts , and none mentioned changing the user.
(Top vhosts page “Apache Virtual Host documentation” on apache.org with 10 links)
Virtual Host examples for common setups

Ok, it is applying by default via virtual host: https://serverfault.com/questions/1118977/configuring-php-fpm-in-apache

ER wait, it is virtual host, but using /var/ as the directory for the VH. This is hardcoding the pool within a VH call. But, it’s calling the pool via <IfModule mod_fcgid.c> can that be called another way? Normally IfModule’s can be. Hmmm, it seems insecure for a user to name the pool to apply to their directories. (HENCE, you can’t “load” a module, but if the module is loaded, then… you can call it ???)

Ok, we’re not calling the mod, we’re seeing if it’s on. The call is for ProxyPassMatch, and no, it cannot be called in htaccess

Run as file owner?

CAN’T with php-fpm. YOU MUST USE POOLS:
Apache fast-cgi and php-fpm – Run PHP File as the owner
Gotta run as suPHP. or mod_ruid2?

Ok I lost it (OR DID I???), I thought it was VH only, but this is chowning the /www/

Run File as owner: mpm_ITK (Not installed)

Via http://mpm-itk.sesse.net: Some things require Virtual host/ All the examples for running as user say in virtual host, but but but then it says this:

MaxClientsVHost can only be set inside a VirtualHost directive; all others can be set wherever you’d like in the Apache configuration, except in .htaccess.

Will AssignUserID: work?
This will cause e.g. /~sesse/foo to be run as the user “sesse” (and /~root/foo to be run as user “root”, so beware!). I guess, don’t have a public_html setup? Also, can /~sesse be sandbox’ed into /public_html. I don’t want access outside of ./public_html?

Can this be used to call a pool as well? It seems like using mpm_itk like this will be slow (Non-Threaded) Not that the site is busy enough to need that, but that’s the whole point. Be ready to grow as we need without a total rewrite of the settings. SLOW??? but secure at least before we change the user. Each thread, or non-thread/process is isolated.
**Question, is this secure? Can anyone bodge a request /host/docs/~root/**

RewriteEngine on
RewriteRule /~([a-z]+)/ - [E=ITKUID:$1]
AssignUserIDExpr %{reqenv:ITKUID}
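
A check for the question above, added here and not part of the original post or the mpm-itk documentation: which accounts the ([a-z]+) capture can name that should never serve requests, and what LimitUIDRange line (an mpm-itk directive for Apache 2.4 builds) would confine the user switch to ordinary logins. The passwd lines are constructed sample data and the uid 1000 floor is an assumption.

```shell
#!/bin/sh
# Added example: audit a passwd-format file against the /~([a-z]+)/ rule.

MIN_UID=1000   # assumption: ordinary logins start at uid 1000 on this host

# Constructed sample in passwd(5) format; on a real host feed /etc/passwd instead.
sample_passwd() {
    cat <<'EOF'
root:x:0:0::/root:/bin/bash
daemon:x:2:2::/sbin:/bin/false
apache:x:80:80::/srv/httpd:/bin/false
alice:x:1000:100::/home/alice:/bin/bash
bob2:x:1001:100::/home/bob2:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
EOF
}

# exposed_accounts: system accounts whose names the capture accepts, so a
# request for /~name/ would be run as that account unless something blocks it.
exposed_accounts() {
    awk -F: -v min="$MIN_UID" '$1 ~ /^[a-z]+$/ && $3 < min { print $1 }'
}

# uid_range_directive: a LimitUIDRange line spanning only the ordinary users
# the capture can name (bob2 contains a digit, so the rule never matches it).
uid_range_directive() {
    awk -F: -v min="$MIN_UID" '
        $1 ~ /^[a-z]+$/ && $3 >= min {
            if (lo == "" || $3 < lo) lo = $3
            if (hi == "" || $3 > hi) hi = $3
        }
        END { if (lo != "") print "LimitUIDRange", lo, hi }'
}

# Stand-alone run: sample_passwd | exposed_accounts; sample_passwd | uid_range_directive
```

On the sample data the exposed list is root, daemon and apache, which is the set the "so beware!" in the quoted documentation is about.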

NOTE for 2025: as presented by pontikis : How to Run Apache as different User with mpm-itk This was written in 2025, so they’re suggesting “prefork Multi-Processing Module” be used in 2025. Granted with virtual hosts.

Do I need to un-comment this? to do this?

<IfModule mpm_prefork_module>
        #LoadModule cgi_module lib64/httpd/modules/mod_cgi.so
</IfModule>

NOTE userdir within virtual host

You CAN run <userdir> from within a virtual host, but then all users are running via that pool’s user. No different than just setting the /var/http/ to some user. (Insecure) but still requires a virtual host IP/DNS

Some searches:

Why I can’t use a virtual host!

  • I don’t have a domain name (Or not one to point here)
  • I don’t have a fixed IP address (Hence not easy to point DNS here)
  • Localhost doesn’t allow me to view from a second computer on the subnet

NOTE TO SELF: Multi-Site wordpress installation??? Will it save disk space?

Stumbled onto this interesting kludge (Two sites for one? “Userdir with Virtual Host (Apache2)”

Maybe he’s trying to get around some virtual host call requirement?)

The poster didn’t describe well, and never up-voted an answer.
Userdir with Virtual Host (Apache2) :
Maybe he’s trying to be sneaky in finding a way to change over to virtual hosts so he can add a pool ??? HMMMMM

Is he trying to say:

  • daytime.myhost.com/~user/ >>> /home/user/public_html/
  • nighttime.myhost.com/~user/ >>> /home/user/public_html2/

Seems easier to say:

  • myhost.com/~user/daytime >>> /home/user/public_html/daytime
  • myhost.com/~user/nighttime >>> /home/user/public_html/nighttime

MORE UPDATES for wordpress to run smoothly:

  • I guess I’ll have to do some major re-editing once I get a public page. Maybe I’ll VPN with port forwarding till I can get it to do something else? (Yes, a target I suppose?)
  • In the end, instead of playing with running php as, I just:
    • chgrp -R apache <the wordpress directory> (to the apache group),
    • then chmod -R g+w <the wordpress directory>
    • I will probably have to chown as root various files that wordpress might create as apache
      (OR DANGEROUSLY just edit as root. DAMN YOU, you’re trying to make it secure, but you won’t let me AssignUserId to the actual user id I’ll be editing as. Now, I’ll be tempted to su into root. I suppose I need to learn to SUDO – it seems to have some restrictions to protect the system. I did just go ahead and give the <user> sudo privileges, so we’ll see what habit it use.)
  • Increase size of php uploads from 2m to 8m
  • add to the wp-config.php: define('FS_METHOD', 'direct'); /* allow wordpress to update via php */
